
VMware Cloud on AWS – Security VPC Reference Architecture

Integrate third-party firewall appliances into VMware Cloud on AWS by leveraging VMware Transit Connect.

Diagram components: a VMware Cloud on AWS SDDC Group (SDDC01, SDDC02) connected through VMware Transit Connect (the VMware-managed Transit Gateway, VTGW); a Security VPC containing subnet-01 (Zone-AWS, firewall interface Eth1/1), subnet-02 (Zone-SDDC, firewall interface Eth1/2) and subnet-03 (Zone-Internet, firewall interface Eth1/3), the Firewall Appliance and an Internet Gateway; a customer-managed AWS Transit Gateway; Amazon VPC (Workload VPC01) and Amazon VPC (Workload VPC02); and an On-Premises Data Center reached over AWS Direct Connect.

1. Deploy a software-defined data center (SDDC) into an SDDC group. This automatically builds a VMware-managed Transit Gateway (VTGW) and establishes connectivity between SDDCs via the VTGW.

2. Build a security virtual private cloud (VPC) with access to the internet via an internet gateway (IGW).

3. Create one public subnet with access to the IGW and connect it to the firewall's internet-bound elastic network interface (ENI). This network interface (Eth1/3) is assigned to an internet security zone (zone "Internet") within the firewall appliance.

4. Provision one private subnet that will be attached to the VTGW, with a dedicated route table that pushes all SDDC outbound traffic to the firewall interface (Eth1/2), which is assigned to a security zone for the SDDC group (zone "SDDC").

5. Deploy another private subnet with a separate route table, to be attached to the customer-managed AWS Transit Gateway and to the firewall interface (Eth1/1), which is assigned to a separate security zone for the AWS native side (zone "AWS").

6. Provision a third-party (zone-based) firewall appliance within the Security VPC to provide transitive routing and policy inspection between zone SDDC, zone AWS and zone Internet. "Source/Destination Check" must be disabled on all ENIs attached to the firewall, because an ENI with the check enabled discards traffic that is not addressed to its own IP address and the firewall can then not forward anything. For internet access, source network address translation (SNAT) must be configured on the firewall appliance to maintain route symmetry.

7. Create a new (or attach the existing) customer-managed AWS Transit Gateway to the Security VPC using subnet-01. This provides transitive routing between SDDCs, existing workload VPCs and on-premises data centers.

8. Attach the Security VPC to the VTGW using subnet-02. Configure a static default route at the VTGW towards the Security VPC attachment. All SDDC outbound traffic to the internet, and inbound access from the internet, is then enforced to go through the firewall appliance within the Security VPC.

Route tables shown on the diagram (associated with the subnets and gateways as the steps above describe):

VTGW route table
  Destination    Target
  SDDC01-CIDR    vtgw-sddc01-attachment
  SDDC02-CIDR    vtgw-sddc02-attachment
  0.0.0.0/0      vtgw-secvpc-attachment   (marked "(Optional)" on the diagram)

subnet-02 route table (attached to the VTGW, Zone-SDDC)
  Destination    Target
  SecVPC-CIDR    local
  SDDC-ALL-CIDR  VTGW
  0.0.0.0/0      FW-ENI-Eth1/2

Firewall appliance routes
  Destination    Target
  VPC-ALL-CIDR   Eth1/1
  OnPrem-CIDR    Eth1/1
  SDDC-ALL-CIDR  Eth1/2
  0.0.0.0/0      Eth1/3

subnet-01 route table (attached to the customer-managed Transit Gateway, Zone-AWS)
  Destination    Target
  SecVPC-CIDR    local
  VPC-ALL-CIDR   Transit Gateway
  OnPrem-CIDR    Transit Gateway
  0.0.0.0/0      FW-ENI-Eth1/1

AWS Transit Gateway route table (customer managed)
  Destination    Target
  VPC01-CIDR     tgw-vpc01-attachment
  VPC02-CIDR     tgw-vpc02-attachment
  OnPrem-CIDR    DXGW
  SDDC-ALL-CIDR  tgw-secvpc-attachment
  0.0.0.0/0      tgw-secvpc-attachment

subnet-03 route table (public, Zone-Internet)
  Destination    Target
  SecVPC-CIDR    local
  0.0.0.0/0      IGW

© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
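The forwarding behaviour that steps 1 to 8 and the route tables above describe, as an added example that is not part of the original diagram and not AWS or VMware code: a small Python simulator that walks a packet through the VTGW, the attachment subnets, the firewall's zones, the customer Transit Gateway and the IGW using exactly the route tables on the page. It shows why two of the requirements in step 6 matter: with Source/Destination Check left on, the firewall ENI drops transit traffic, and without SNAT the IGW has no public mapping for an SDDC source and the internet reply can never return through the firewall. All CIDRs, ENI addresses and the Elastic IP are constructed placeholders, and the workload-VPC route tables that send SDDC-bound traffic to the TGW are assumed because the diagram does not show them.

```python
"""Forwarding-path simulator for the Security VPC design on this page (added example, not AWS or
VMware code). Route tables are copied from the diagram; every CIDR, ENI address and the EIP are
constructed placeholders, and the VPC01/VPC02 route tables that send SDDC traffic to the TGW are
assumed because the diagram does not show them."""
import ipaddress

# Constructed addressing, one CIDR per box on the diagram.
CIDR = {
    "SDDC01": "10.1.0.0/16", "SDDC02": "10.2.0.0/16", "SDDC-ALL": "10.0.0.0/8",
    "VPC01": "172.16.0.0/16", "VPC02": "172.17.0.0/16", "VPC-ALL": "172.16.0.0/12",
    "OnPrem": "192.168.0.0/16", "SecVPC": "100.64.0.0/16",
}
FW_ENI = {"Eth1/1": "100.64.1.10", "Eth1/2": "100.64.2.10", "Eth1/3": "100.64.3.10"}  # in subnet-01/02/03
FW_EIP = "203.0.113.10"          # Elastic IP the IGW maps 1:1 onto the Eth1/3 private address
ZONE = {"Eth1/1": "AWS", "Eth1/2": "SDDC", "Eth1/3": "Internet"}   # firewall security zones
DELIVER = {"SDDC01", "SDDC02", "VPC01", "VPC02", "OnPrem", "Internet"}

# Route tables exactly as on the diagram; "local" means deliver inside the Security VPC.
ROUTE_TABLES = {
    "VTGW": [(CIDR["SDDC01"], "vtgw-sddc01-attachment"), (CIDR["SDDC02"], "vtgw-sddc02-attachment"),
             ("0.0.0.0/0", "vtgw-secvpc-attachment")],
    "subnet-02": [(CIDR["SecVPC"], "local"), (CIDR["SDDC-ALL"], "VTGW"), ("0.0.0.0/0", "FW-ENI-Eth1/2")],
    "FW": [(CIDR["VPC-ALL"], "Eth1/1"), (CIDR["OnPrem"], "Eth1/1"), (CIDR["SDDC-ALL"], "Eth1/2"),
           ("0.0.0.0/0", "Eth1/3")],
    "subnet-01": [(CIDR["SecVPC"], "local"), (CIDR["VPC-ALL"], "TGW"), (CIDR["OnPrem"], "TGW"),
                  ("0.0.0.0/0", "FW-ENI-Eth1/1")],
    "TGW": [(CIDR["VPC01"], "tgw-vpc01-attachment"), (CIDR["VPC02"], "tgw-vpc02-attachment"),
            (CIDR["OnPrem"], "DXGW"), (CIDR["SDDC-ALL"], "tgw-secvpc-attachment"),
            ("0.0.0.0/0", "tgw-secvpc-attachment")],
    "subnet-03": [(CIDR["SecVPC"], "local"), ("0.0.0.0/0", "IGW")],
}
# Where each route target hands the packet next. A (V)TGW VPC attachment delivers into its attachment
# subnet, whose route table then applies; that is what steers inbound traffic into the firewall ENI.
NEXT = {"vtgw-sddc01-attachment": "SDDC01", "vtgw-sddc02-attachment": "SDDC02",
        "vtgw-secvpc-attachment": "subnet-02", "tgw-vpc01-attachment": "VPC01",
        "tgw-vpc02-attachment": "VPC02", "tgw-secvpc-attachment": "subnet-01", "DXGW": "OnPrem",
        "VTGW": "VTGW", "TGW": "TGW", "IGW": "IGW", "FW-ENI-Eth1/1": "FW", "FW-ENI-Eth1/2": "FW",
        "Eth1/1": "subnet-01", "Eth1/2": "subnet-02", "Eth1/3": "subnet-03"}


def lookup(table, dst):
    """Longest-prefix match over [(cidr, target), ...]; returns the target or None."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src, dst, snat=True, src_dst_check=False, nat_table=None):
    """Walk one packet through the design and return its hop list, ending in a delivery node or
    a 'DROP: ...' reason. nat_table holds the firewall's SNAT state, shared by a flow and its reply."""
    nat_table = {} if nat_table is None else nat_table
    s = ipaddress.ip_address(src)
    node = ("VTGW" if s in ipaddress.ip_network(CIDR["SDDC-ALL"]) else
            "TGW" if s in ipaddress.ip_network(CIDR["VPC-ALL"]) else "IGW")
    path, in_eni = [node], "Eth1/3"      # in_eni: firewall interface the packet arrives on
    for _ in range(16):                  # hop bound so a routing loop cannot hang the walk
        if node in DELIVER:
            return path
        if node == "IGW":
            if dst == FW_EIP:                        # inbound: EIP -> Eth1/3 private address
                dst, node, in_eni = FW_ENI["Eth1/3"], "FW", "Eth1/3"
            elif src == FW_ENI["Eth1/3"]:            # outbound: private address -> EIP
                src, node = FW_EIP, "Internet"
            else:                                    # the IGW only forwards sources it can map to a public IP
                return path + ["DROP: IGW has no public mapping for source " + src]
        elif node == "FW":
            # With Source/Destination Check enabled, the ENI discards anything not addressed to itself.
            if src_dst_check and dst not in FW_ENI.values():
                return path + ["DROP: source/destination check on " + in_eni]
            if dst in nat_table:                     # reply to a SNAT'd flow: restore the original source
                dst = nat_table[dst]
            out = lookup(ROUTE_TABLES["FW"], dst)
            if out == "Eth1/3" and snat:             # SNAT to the Eth1/3 address so the reply comes back here
                nat_table[FW_ENI["Eth1/3"]], src = src, FW_ENI["Eth1/3"]
            path.append("FW(%s->%s)" % (ZONE[in_eni], ZONE[out]))
            node = NEXT[out]
        else:                                        # a VPC subnet, the VTGW or the TGW: plain route lookup
            target = lookup(ROUTE_TABLES[node], dst)
            if target is None or target == "local":
                return path + [("local delivery in " if target else "DROP: no route in ") + node]
            if target.startswith("FW-ENI-"):
                in_eni = target[len("FW-ENI-"):]
            node = NEXT[target]
        if node != "FW":                             # the FW hop is recorded with its zone pair above
            path.append(node)
    return path + ["DROP: hop limit exceeded"]


if __name__ == "__main__":
    nat = {}
    print("SDDC01 -> internet   :", trace("10.1.5.5", "198.51.100.7", nat_table=nat))
    print("internet reply       :", trace("198.51.100.7", FW_EIP, nat_table=nat))
    print("same, without SNAT   :", trace("10.1.5.5", "198.51.100.7", snat=False))
    print("src/dst check left on:", trace("10.1.5.5", "198.51.100.7", src_dst_check=True))
    print("VPC01 -> SDDC02      :", trace("172.16.3.3", "10.2.7.7"))
    print("SDDC01 -> on-prem    :", trace("10.1.5.5", "192.168.9.9"))
```

The simulator deliberately collapses SNAT to a single address entry; a real appliance keeps a per-flow table keyed by port, but the routing consequence is the same: the reply is addressed to the firewall's Eth1/3 address, so it re-enters the Internet zone and is routed back out Eth1/2 to the VTGW, which is the route symmetry step 6 asks for. Every other hop is a plain longest-prefix lookup in the table the diagram assigns to that subnet or gateway, so changing one entry (for example the SDDC-ALL-CIDR route in subnet-02) and re-running the traces shows immediately which flow stops traversing the firewall.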
